Merge pull request #4357 from sarthurdev/T7148

firewall: T7148: Bridge state-policy uses drop in place of reject
vyos · Feb 22, 2025 · 5d9d232 · 5d9d232
2 parents b7ce1c1 + ac890f5
commit 5d9d232
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 7 deletions.
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2
@@ -435,13 +435,13 @@ table bridge vyos_filter {
 {% if global_options.state_policy is vyos_defined %}
     chain VYOS_STATE_POLICY {
 {%     if global_options.state_policy.established is vyos_defined %}
-        {{ global_options.state_policy.established | nft_state_policy('established') }}
+        {{ global_options.state_policy.established | nft_state_policy('established', bridge=True) }}
 {%     endif %}
 {%     if global_options.state_policy.invalid is vyos_defined %}
-        {{ global_options.state_policy.invalid | nft_state_policy('invalid') }}
+        {{ global_options.state_policy.invalid | nft_state_policy('invalid', bridge=True) }}
 {%     endif %}
 {%     if global_options.state_policy.related is vyos_defined %}
-        {{ global_options.state_policy.related | nft_state_policy('related') }}
+        {{ global_options.state_policy.related | nft_state_policy('related', bridge=True) }}
 {%     endif %}
         return
     }

diff --git a/python/vyos/template.py b/python/vyos/template.py
@@ -612,12 +612,17 @@ def nft_default_rule(fw_conf, fw_name, family):
     return " ".join(output)
 
 @register_filter('nft_state_policy')
-def nft_state_policy(conf, state):
+def nft_state_policy(conf, state, bridge=False):
     out = [f'ct state {state}']
 
+    action = conf['action'] if 'action' in conf else None
+
+    if bridge and action == 'reject':
+        action = 'drop' # T7148 - Bridge cannot use reject
+
     if 'log' in conf:
         log_state = state[:3].upper()
-        log_action = (conf['action'] if 'action' in conf else 'accept')[:1].upper()
+        log_action = (action if action else 'accept')[:1].upper()
         out.append(f'log prefix "[STATE-POLICY-{log_state}-{log_action}]"')
 
         if 'log_level' in conf:
@@ -626,8 +631,8 @@ def nft_state_policy(conf, state):
 
     out.append('counter')
 
-    if 'action' in conf:
-        out.append(conf['action'])
+    if action:
+        out.append(action)
 
     return " ".join(out)
 

diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py
@@ -658,6 +658,13 @@ def test_ipv4_global_state(self):
 
         self.verify_nftables(nftables_search, 'ip vyos_filter')
 
+        # T7148 - Ensure bridge rule reject -> drop
+        self.cli_set(['firewall', 'global-options', 'state-policy', 'invalid', 'action', 'reject'])
+        self.cli_commit()
+
+        self.verify_nftables([['ct state invalid', 'reject']], 'ip vyos_filter')
+        self.verify_nftables([['ct state invalid', 'drop']], 'bridge vyos_filter')
+
         # Check conntrack is enabled from state-policy
         self.verify_nftables_chain([['accept']], 'ip vyos_conntrack', 'FW_CONNTRACK')
         self.verify_nftables_chain([['accept']], 'ip6 vyos_conntrack', 'FW_CONNTRACK')